论文信息 - Second Preimages for SMASH

Second Preimages for SMASH

This article presents a rare case of a deterministic second preimage attack on a cryptographic hash function. Using the notion of controllable output differences, we show how to construct second preimages for the SMASH hash functions. If the given preimage contains at least n+1 blocks, where n is the output length of the hash function in bits, then the attack is deterministic and requires only to solve a set of n linear equations. For shorter preimages, the attack is probabilistic.

Vincent Rijmen | Mario Lamberger | Christian Rechberger | Norbert Pramstaller

[1] Hans Dobbertin,et al. The First Two Rounds of MD4 are Not One-Way , 1998, FSE.

[2] Alfred Menezes,et al. Handbook of Applied Cryptography , 2018 .

[3] Vincent Rijmen,et al. Breaking a New Hash Function Design Strategy Called SMASH , 2005, Selected Areas in Cryptography.

[4] Vincent Rijmen,et al. The WHIRLPOOL Hashing Function , 2003 .

[5] Thomas Shrimpton,et al. Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance , 2004, FSE.

[6] John Black,et al. Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV , 2002, CRYPTO.

[7] Xiaoyun Wang,et al. The Second-Preimage Attack on MD4 , 2005, CANS.

[8] Vincent Rijmen,et al. A New MAC Construction ALRED and a Specific Instance ALPHA-MAC , 2005, FSE.

[9] Lars R. Knudsen,et al. Preimage and Collision Attacks on MD2 , 2005, FSE.

[10] Joos Vandewalle,et al. Hash Functions Based on Block Ciphers: A Synthetic Approach , 1993, CRYPTO.

[11] Lars R. Knudsen. SMASH - A Cryptographic Hash Function , 2005, FSE.

[12] Xiaoyun Wang,et al. Finding Collisions in the Full SHA-1 , 2005, CRYPTO.